2015-08-28 6:16 GMT+02:00 Alan Kirby alankirby2@gmail.com:
Hi Folks
Had a result from flashrom that asked me to send this log to you guys. I'm certainly thankful for that.
The mainboard flash ROM had (probably still has) malware within it that is persistent. Maybe it's lighteater.
You can extract the chip's content, from file, using bios_extract: https://github.com/coreboot/bios_extract and/or radare: http://rada.re/
Since I haven't fully diagnosed it, I've attached a 64KiB file that is a dump of the boot block: F'0000 - F'FFFF. One of the things it does is prevent afudos (engineer's version) from overwriting the boot block.
The bootblock, or in this case whole chip protection is put in place by the vendor BIOS.
Another thing it does : if you hit Enter at the afudos command, then pull out the keyboard cable, the Disk Driver (INT 13h handler) throws an error, saying there was a disk read error. That shouldn't happen, so these interrupt handlers are checking up on each other, in order to achieve overall persistence.
BY ALL MEANS: THEN DON'T PULL OUT THE KEYBOARD CABLE? One could permanently break a mainboard, or at least its PS/2 port, by doing so.
So, to get round these protections, I was attempting to shift away from FreeDOS and flash the ROM from Linux - Ubuntu (Trust Tahr 6.0), in fact.
I see the warning about the mainboard-specific code but I couldn't tally that with any action I should take. I saw that the ASUS P4P800 is supported and that it is autodetected. I also tried putting different strings after mainboard, whilst simply probing the hardware: =ASUS, =P4P800, =ASUS P4P800, =ASUS:P4P800. Each generated an error. Removing the = and everything after it worked - the probe worked without error. That gave me confidence that I'd understood the autodetect part.
Which model of P4P800 is this? Is it the P4P800-VM? If I recall correctly, a newer release of flashrom (0.9.7 or 0.9.8) will detect the supported (sub)model. Source: I had an ASUS P4P800-VM.
Regards
Alan K
HTH,
Idwer
# ./flashrom -p internal:mainboard -E flashrom v0.9.6.1-r1563 on Linux 3.14.20 (i686) flashrom is free software, get the source code at http://www.flashrom.org
Calibrating delay loop... OK. Found chipset "Intel ICH5/ICH5R". Enabling flash write... OK. WARNING: Your mainboard is ASUS P4P800, but the mainboard-specific code has not been tested, and thus will not be executed by default. Depending on your hardware environment, erasing, writing or even probing can fail without running the board specific code.
Please see the man page (section PROGRAMMER SPECIFIC INFO, subsection "internal programmer") for details. Unhandled programmer parameters: mainboard Found PMC flash chip "Pm49FL004" (512 kB, LPC, FWH) at physical address 0xfff80000. Erasing and writing flash chip... ERASE FAILED at 0x00001c40 ! Expected=0xff, Read=0x44, failed byte count from 0x00001000-0x00001fff: 0x3a2 ERASE FAILED! Reading current flash chip contents... done. ERASE FAILED at 0x00001c40 ! Expected=0xff, Read=0x44, failed byte count from 0x00000000-0x0000ffff: 0xe2c5 ERASE FAILED! Reading current flash chip contents... done. ERASE FAILED at 0x00001c40 ! Expected=0xff, Read=0x44, failed byte count from 0x00000000-0x0007ffff: 0x7a92c ERASE FAILED! FAILED! Your flash chip is in an unknown state. Get help on IRC at chat.freenode.net (channel #flashrom) or mail flashrom@flashrom.org with the subject "FAILED: <your board name>"!
DO NOT REBOOT OR POWEROFF!
A non-text attachment MR-F0000.BIN has been stripped. It is available at http://paste.flashrom.org/view.php?id=2783
flashrom mailing list flashrom@flashrom.org http://www.flashrom.org/mailman/listinfo/flashrom